Microsoft says China-based hackers exploiting critical SharePoint vulnerabilities to deploy Warlock ransomware — three China-affiliated threat actors seen taking advantage
The company has attributed these attacks to a group it calls Storm-2603.
 
Microsoft said that a hacking group it's tracking as Storm-2603 is exploiting critical vulnerabilities in the company's SharePoint platform to deploy ransomware.
SharePoint is "a secure, enterprise-grade content management and collaboration platform," according to Microsoft's website, which also describes it as a way to "securely collaborate, sync, and share content." (Essentially: organizations use it to build sites accessed via their intranets.) But those assurances of its security have been undermined by reports of multiple groups exploiting numerous vulnerabilities in the platform.
Microsoft said on July 19 that it was "aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update." Now those vulnerabilities—including CVE-2025-49704, CVE-2025-49706, and bypasses for the patches released to fix them, CVE-2025-53770 and CVE-2025-53771—are being used to deploy the Warlock ransomware.
The company's threat intelligence team said on July 22 that it had "observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon[,] exploiting these vulnerabilities targeting internet-facing SharePoint servers." It updated that report on July 23 to say it had "observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities to deploy ransomware."
Microsoft assigns identifiers to hacking groups with suffixes based on their country of origin (China is Typhoon, North Korea is Sleet, etc.), as well as the nature of their activity (influence operations are Flood while financially motivated groups are Tempest) and other factors. Groups "in development" are given the Storm prefix followed by a numeric sequence; in this case, the resulting identifier is Storm-2603.
"The group that Microsoft tracks as Storm-2603 is assessed with moderate confidence to be a China-based threat actor," the company said. "Microsoft has not identified links between Storm-2603 and other known Chinese threat actors. Microsoft tracks this threat actor in association with attempts to steal MachineKeys using the on-premises SharePoint vulnerabilities. Although Microsoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives. Starting on July 18, 2025, Microsoft has observed Storm-2603 deploying ransomware using these vulnerabilities."
So what should organizations that rely on SharePoint do to mitigate the risk of joining the list of Storm-2603's victims? Unfortunately, there isn't a one-click solution—Microsoft said they should ensure they're using the latest version of the platform, which is typical for advisories like this, but its advice didn't end with installing a few updates. (Especially since bypasses to some of its fixes have already been found.)
"To stop unauthenticated attacks from exploiting this vulnerability," Microsoft said, "customers should also integrate and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or equivalent solutions) for all on-premises SharePoint deployments and configure AMSI to enable Full Mode[.] Customers should also rotate SharePoint server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or equivalent solutions."
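The key-rotation and IIS-restart steps above, as an added example for a SharePoint Server administrator (not Microsoft's or Tom's Hardware's code). It assumes it is run in an elevated SharePoint Management Shell on every server in the farm, and that the documented `Update-SPMachineKey` cmdlet is available on the installed SharePoint version; the AMSI Full Mode configuration is a separate step and is not shown here.

```powershell
# Added example: rotate ASP.NET machine keys for every web application, then restart IIS.
# Run once per SharePoint server, after the July 2025 security update is installed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Record the farm build so the patch level can be compared against Microsoft's advisory.
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# Rotate the machine keys for each web application, including Central Administration;
# a stolen MachineKey is what lets an attacker forge trusted ViewState, so every
# application's keys must change, not just the public-facing one.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($webApp in $webApps) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# New keys only take effect once the worker processes reload their configuration.
Write-Host "Restarting IIS so the new keys are loaded"
iisreset.exe /noforce

# Leave a record for the incident timeline (constructed log path, adjust as needed).
$stamp = Get-Date -Format o
Add-Content -Path "C:\Temp\sharepoint-key-rotation.log" -Value "$stamp rotated keys on $env:COMPUTERNAME"
```

Run the rotation after patching, not before, since keys rotated on an unpatched server can be stolen again.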
Expect to learn more about Storm-2603, the organizations that have been affected by these vulnerabilities, and more as Microsoft's investigation continues.

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.